Closed Bug 201967 Opened 22 years ago Closed 22 years ago

ldap TLS secure connection security issue with subjectAltName certificates

Categories

(Core Graveyard :: Security: UI, defect)

Other Branch
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: icoupeau, Assigned: jgmyers)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030310
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030310

When I configure my address book with a secure LDAP connection and the server has a subjectAltName (X509v3 Subject Alternative Name), the browser tells me that the "server" provided in the certificate is not the "server" provided in the certificate. This breaks all the HA LDAP infrastructure. Of course the openldap clients (-ZZ), openssl 096 tools, and pops/imaps clients run with these certificates without any problem. The LDAP connection after this is reset or is badly closed when the browser or mail client is closed. Tested with 1.1, 1.2.1, 1.3 on NT and XP.

Reproducible: Always

Steps to Reproduce:
1. Make an X.509 certificate with "X509v3 Subject Alternative Name" for your HA LDAP servers. Test it with some client (ldapsearch -ZZ ...); make sure you have inverse resolution, etc.
2. Configure your address book to connect as "secure" to the alt name of the LDAP HA servers.
3. On the first search, Mozilla tells you that the <server> is not the <server>.
4. The switch between secure/non-secure mode may not run or performs not so well.
5. It also appears when an https connection to an https cluster is performed (also with the altDN extension).

Actual Results:
The search may be broken (at least for a while) because of the negotiation of the start_tls? Also, when Mozilla is closed, a popup window says something like "a security connection malformed..." or similar. I don't know if it is a coincidence, but the security icon appears red/broken in a connection to amazon.com. May be coincidental, but if Amazon runs H.Availability https servers...
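The behaviour the reporter expects from the client is hostname matching that consults the subjectAltName extension (dNSName and iPAddress entries) and only falls back to the subject CN when no SAN is present, as RFC 6125 section 6.4.4 prescribes. The following is an added example of such a matcher, not Mozilla/PSM code; it assumes the certificate is represented as the dict that Python's `ssl.SSLSocket.getpeercert()` returns, and the HA-style certificate at the end is constructed for the example.

```python
"""SAN-aware hostname verification (RFC 6125 style), added example, not PSM code.

The certificate is the dict shape returned by ssl.SSLSocket.getpeercert()
(assumption for this example) so the matcher can be exercised offline.
"""
import ipaddress


def _match_dns(pattern, hostname):
    """Match one dNSName pattern; a single leading '*' covers exactly one label."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    # Same label count, and never let '*.tld' cover a whole public suffix.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return True if hostname is covered by the certificate.

    When a subjectAltName extension is present only its entries count; the
    subject CN is consulted solely as a legacy fallback when there is no SAN.
    """
    san = cert.get('subjectAltName', ())
    if san:
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            ip = None
        for kind, value in san:
            if kind == 'DNS' and ip is None and _match_dns(value, hostname):
                return True
            if kind == 'IP Address' and ip is not None and ipaddress.ip_address(value) == ip:
                return True
        return False
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                return _match_dns(value, hostname)
    return False


# Constructed certificate resembling the reporter's setup: the CN names one
# HA node while the SAN carries the cluster alias the client connects to.
HA_CERT = {
    'subject': ((('commonName', 'ldap1.example.test'),),),
    'subjectAltName': (('DNS', 'ldap.example.test'), ('DNS', 'ldap1.example.test'),
                       ('IP Address', '192.0.2.10')),
}
```

A client that only compares the CN would reject `ldap.example.test` for this certificate, which is the symptom described above.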
>...certificate... That doesn't look like a security hole -> PSM (for crypto bugs)
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: carosendahl → bmartin
Version: Trunk → unspecified
Please provide the domain name of a server with such a certificate.
Assignee: ssaux → jgmyers
Actually, the mozilla en-US; rv:1.6 Gecko/20040113 doesn't show that error. The bug reported was in the en-US; rv:1.3 Gecko/20030310.
-> wfm Thanks for the response!
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Product: PSM → Core
Product: Core → Core Graveyard